Simple File List Security & Risk Analysis

wordpress.org/plugins/simple-file-list

Simple File List gives your WordPress website a list of your files which allows your users to open and download them.

5K active installs · v6.1.18 · PHP 7.4+ · WP 5.0+ · Updated Jan 29, 2026
Tags: file-list, file-sharing, ftp-alternative, share-documents, zip-files

Score: 40 (D · High Risk)
CVEs total: 15
Unpatched: 1
Last CVE: Feb 9, 2026
Safety Verdict

Is Simple File List Safe to Use in 2026?

High Risk

Score 40/100

Simple File List carries significant security risk with 15 known CVEs, 1 still unpatched. Consider switching to a maintained alternative.

15 known CVEs · 1 unpatched · Last CVE: Feb 9, 2026 · Updated 2mo ago
Risk Assessment

The "simple-file-list" plugin v6.1.18 exhibits a mixed security posture. While it demonstrates good practices in SQL query handling and output escaping, several significant concerns arise from its attack surface and vulnerability history. The presence of seven unprotected AJAX handlers creates a substantial entry point for attackers, as any of these could potentially be exploited without proper authentication checks. Furthermore, the detection of dangerous functions like `shell_exec` and `exec` warrants careful review, as these can be leveraged for remote code execution if not handled with extreme caution and robust sanitization.

The plugin's historical vulnerability landscape is a major red flag. With 15 known CVEs, including two critical and three high-severity vulnerabilities, there is a clear pattern of past security weaknesses. The common vulnerability types, such as Missing Authorization, Cross-Site Scripting, and Path Traversal, indicate recurring issues with input validation and access control. There is also a currently unpatched CVE; even though the most recently reported vulnerability carries a date in the future, this suggests either that active threats are still present or that the reporting date is erroneous and the unpatched CVE is a present danger.

In conclusion, while the plugin shows some positive aspects like secure SQL usage, the high number of unprotected entry points, the use of dangerous functions, and a history rife with severe vulnerabilities point to a plugin that requires significant attention. Users should be cautious, and thorough security audits are recommended before deploying this plugin in production environments. The ongoing trend of past vulnerabilities suggests a potential for future exploits.

Key Concerns

  • 7 unprotected AJAX handlers
  • Use of dangerous functions (shell_exec, exec)
  • 1 currently unpatched CVE
  • 2 critical historical CVEs
  • 3 high historical CVEs
  • Common vulnerability: Missing Authorization
  • Common vulnerability: Cross-site Scripting
  • Common vulnerability: Path Traversal
Vulnerabilities (15)

Simple File List Security Vulnerabilities

CVEs by Year

  • 2019: 2 CVEs
  • 2020: 2 CVEs
  • 2022: 3 CVEs
  • 2023: 3 CVEs
  • 2024: 1 CVE
  • 2025: 3 CVEs · has unpatched
  • 2026: 1 CVE

Severity Breakdown

Critical: 2
High: 3
Medium: 10

15 total CVEs

CVE-2026-24953 · medium (6.5) · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  Simple File List <= 6.1.15 - Authenticated (Subscriber+) Arbitrary File Download
  Feb 9, 2026 · Patched in 6.1.16 (9d)

CVE-2025-68591 · medium (4.3) · Missing Authorization
  Simple File List <= 6.1.16 - Missing Authorization
  Dec 25, 2025 · Unpatched

CVE-2025-54021 · medium (5.3) · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  Simple File List <= 6.1.14 - Unauthenticated Arbitrary File Download
  Jul 28, 2025 · Patched in 6.1.15 (8d)

CVE-2025-47450 · medium (5.3) · Missing Authorization
  Simple File List <= 6.1.13 - Missing Authorization to Unauthenticated Minor Settings Update
  May 7, 2025 · Patched in 6.1.14 (7d)

CVE-2024-10146 · medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Simple File List <= 6.1.11 - Reflected Cross-Site Scripting
  Oct 24, 2024 · Patched in 6.1.13 (50d)

CVE-2023-39924 · medium (4.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Simple File List <= 6.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings
  Oct 12, 2023 · Patched in 6.1.10 (103d)

CVE-2023-44227 · critical (9.1) · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  Simple File List <= 6.1.9 - Unauthenticated Arbitrary File Deletion
  Sep 28, 2023 · Patched in 6.1.10 (117d)

CVE-2023-1025 · medium (4.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Simple File List <= 6.0.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
  Feb 28, 2023 · Patched in 6.0.10 (329d)

CVE-2022-3207 · medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Simple File List <= 4.4.11 - Reflected Cross-Site Scripting
  Sep 19, 2022 · Patched in 4.4.12 (491d)

CVE-2022-3208 · high (8.8) · Cross-Site Request Forgery (CSRF)
  Simple File List <= 4.4.12 - Cross-Site Request Forgery to Page Creation
  Sep 19, 2022 · Patched in 4.4.13 (491d)

CVE-2022-3062 · medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Simple File List <= 4.4.11 - Reflected Cross-Site Scripting
  Aug 26, 2022 · Patched in 4.4.12 (515d)

CVE-2020-36847 · critical (9.8) · Unrestricted Upload of File with Dangerous Type
  Simple File List < 4.2.3 - Remote Code Execution
  Nov 2, 2020 · Patched in 4.2.3 (1713d)

CVE-2020-12832 · medium (6.5) · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  Simple File List <= 4.2.7 - Arbitrary File Deletion
  May 16, 2020 · Patched in 4.2.8 (1347d)

WF-fdfb5e74-e52c-4f44-acdc-9740624af9e7-simple-file-list · high (8.6) · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  Simple File List <= 3.2.4 - Arbitrary File Deletion
  May 23, 2019 · Patched in 3.2.5 (1706d)

CVE-2022-1119 · high (7.5) · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  Simple File List <= 3.2.7 - Arbitrary File Download
  May 23, 2019 · Patched in 3.2.8 (1706d)
Code Analysis · Analyzed Mar 16, 2026

Simple File List Code Analysis

Dangerous Functions: 5
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 3 (65 escaped)
Nonce Checks: 27
Capability Checks: 5
File Operations: 13
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • shell_exec at includes\ee-class.php:1142: `$eeffMpeg = trim(shell_exec($eeCommand));`
  • exec at includes\ee-class.php:1215: `exec( $eeCommand, $eeCommandOutput, $eeReturnVal );`
  • exec at includes\ee-class.php:1227: `exec( $eeCommand, $eeCommandOutput, $eeReturnVal );`
  • shell_exec at includes\ee-functions.php:237: `if(shell_exec('ffmpeg -version')) {`
  • exec at includes\ee-functions.php:262: `if(exec($phpExt . ' --version') >= 1.0) { // <<<---- This will be different for Windows too`

SQL Query Safety

100% prepared (1 total query)

Output Escaping

96% escaped (68 total outputs)
Data Flows: All sanitized

Data Flow Analysis

2 flows
  • eeSFL_UploadCheck (uploader\ee-class-uploads.php:168)
Attack Surface · 7 unprotected

Simple File List Attack Surface

Entry Points: 8
Unprotected: 7

AJAX Handlers (7)

  • auth: wp_ajax_simplefilelist_upload_job (ee-simple-file-list.php:47)
  • nopriv: wp_ajax_simplefilelist_upload_job (ee-simple-file-list.php:48)
  • auth: wp_ajax_simplefilelist_edit_job (ee-simple-file-list.php:51)
  • nopriv: wp_ajax_simplefilelist_edit_job (ee-simple-file-list.php:52)
  • auth: wp_ajax_simplefilelist_upload_job (ee-simple-file-list.php:475)
  • auth: wp_ajax_simplefilelist_edit_job (ee-simple-file-list.php:487)
  • auth: wp_ajax_simplefilelist_confirm (ee-simple-file-list.php:497)

Shortcodes (1)

  • [eeSFL] (ee-simple-file-list.php:370)
WordPress Hooks (6)

  • filter: aioseo_conflicting_shortcodes (ee-simple-file-list.php:56)
  • action: init (ee-simple-file-list.php:183)
  • action: init (ee-simple-file-list.php:393)
  • action: wp_enqueue_scripts (ee-simple-file-list.php:408)
  • action: admin_enqueue_scripts (ee-simple-file-list.php:453)
  • action: admin_menu (ee-simple-file-list.php:781)
Maintenance & Trust

Simple File List Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 29, 2026
PHP min version: 7.4
Downloads: 206K

Community Trust

Rating: 86/100
Number of ratings: 26
Active installs: 5K
Developer Profile

Simple File List Developer Profile

Mitchell Bennis

4 plugins · 5K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 573 days
Detection Fingerprints

How We Detect Simple File List

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/simple-file-list/css/sfl-styles.css
  • /wp-content/plugins/simple-file-list/css/sfl-tiles.css
  • /wp-content/plugins/simple-file-list/css/sfl-flex.css
  • /wp-content/plugins/simple-file-list/css/sfl-admin.css
  • /wp-content/plugins/simple-file-list/js/sfl-scripts.js
  • /wp-content/plugins/simple-file-list/uploader/js/sfl-upload.js

Script Paths
  • /wp-content/plugins/simple-file-list/js/sfl-scripts.js
  • /wp-content/plugins/simple-file-list/uploader/js/sfl-upload.js

Version Parameters
  • /wp-content/plugins/simple-file-list/css/sfl-styles.css?ver=
  • /wp-content/plugins/simple-file-list/css/sfl-tiles.css?ver=
  • /wp-content/plugins/simple-file-list/css/sfl-flex.css?ver=
  • /wp-content/plugins/simple-file-list/css/sfl-admin.css?ver=
  • /wp-content/plugins/simple-file-list/js/sfl-scripts.js?ver=
  • /wp-content/plugins/simple-file-list/uploader/js/sfl-upload.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • ee-sfl-wrapper
  • sfl-main-wrapper
  • sfl-table
  • sfl-tiles
  • sfl-flex
  • sfl-upload-form
  • sfl-admin-section
  • sfl-file-row
  • +1 more

HTML Comments
  • <!-- Simple File List by Element Engage -->
  • <!-- Simple File List Pro by Element Engage -->

Data Attributes
  • data-ee-sfl-id
  • data-ee-sfl-type
  • data-ee-sfl-action

JS Globals
  • eesfl_vars

REST Endpoints
  • /wp-json/simplefilelist/v1/upload
  • /wp-json/simplefilelist/v1/edit

Shortcode Output
  • [eeSFL]
  • [eeSFLS]
FAQ

Frequently Asked Questions about Simple File List